Hackers like to manipulate legitimate software tools and applications to carry out their malicious activities, and Microsoft Word has become the latest program used by bad actors to spread file-encrypting malware and/or Trojans to steal money from businesses.
Security researchers have discovered a new scheme in which hackers send a disguised, specially crafted Word document, built with the Microsoft Word Intruder exploit tool, in order to penetrate the Word ecosystem and create an opening for malware.
Once a user opens the attachment in an email, a typical attack vector employed by hackers, the malware starts to infect the victim’s computer. Security experts warn against opening attachments in an email sent by an unknown person or by an organization that purports to be, say, a charitable group, a lottery, or a well-known financial services firm offering its products to you.
More specifically, the Hawkeye attack has targeted many individuals, usually employees in a company. The attack has so far stolen hundreds of thousands of dollars from businesses. The scheme works by developing or purchasing a Word document that crashes computer systems with unpatched problems. The Word file also contains various types of viruses; which kind is installed on the victim's system depends on the hacker. According to the researchers who spotted the attack scheme, Hawkeye contains a keylogger.
Since the target is the business sector, the hackers spread the malicious Word file to employees in many companies, usually those who work in the finance department. In the seemingly legitimate email, the hackers state that they are sending a quote request or an order. Typically, emails like this are welcomed for the prospect of a business deal.
The keylogger installs itself when the employee opens the Word document, without the victim knowing it. Once installed, it keeps track of the employee’s corporate email username and password, and the stolen data is used to log in to the corporate email account. The hackers then use that access to send another email message to a client claiming that the bank account number for the payment has been replaced; the new number is actually the hackers' bank account.
According to the security researchers, the payout for this sort of attack could reach more than $1 million, so although there are few incidents involving such a scheme, the high-value payout still makes it a big deal. Again, the best way to counter this is not to open unsolicited email.